Amazon Exam SCS-C02 Topic 1 Question 47 Discussion

Actual exam question for Amazon's SCS-C02 exam

Question #: 47
Topic #: 1

[Infrastructure Security]

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.

Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

AHave a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.

BConfigure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.

CConfigure automatic rotation of credentials in AWS Secrets Manager.

DStore the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.

EConfigure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
By configuring the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials, you can avoid hard-coding the credentials in your application code or configuration files. This way, your application can dynamically obtain the latest credentials from Secrets Manager whenever the password is rotated, without needing to restart or redeploy the application.To enable this, you need to grant permission to the instance role associated with the EC2 instance to access Secrets Manager using IAM policies2.You can also usethe AWS SDK for Java to integrate your application with Secrets Manager3.

Show Suggested Answer

Suggested Answer: C, E, E

AWS Secrets Manager is a service that helps you manage, retrieve, and rotate secrets such as database credentials, API keys, and other sensitive information. By configuring automatic rotation of credentials in AWS Secrets Manager, you can ensure that your secrets are changed regularly and securely, without requiring manual intervention or application downtime.You can also specify the rotation frequency and the rotation function that performs the logic of changing the credentials on the database and updating the secret in Secrets Manager1.

by Clay at Jul 04, 2025, 05:04 PM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Kimberlie

3 days ago

I'd go with C and E. Automating credential rotation and dynamically retrieving updated creds from Secrets Manager is the way to go. No more hard-coded passwords to worry about!

upvoted 0 times

...

Vesta

13 days ago

I agree with Sarina. Option C seems like the most secure and efficient way to handle credential rotation.

upvoted 0 times

...

Sarina

17 days ago

I think option C is the best choice because it allows for automatic rotation of credentials.

upvoted 0 times

...